The most recent statistics on data breaches in healthcare are alarming. Healthcare is the industry most often hit by ransomware, and experts predict that cyber-attacks will keep increasing through 2019. The financial impact of recent attacks, and the wider consequences of suffering a data breach in healthcare, are significant. Understanding them will help you decide what you can do to protect your practice.
A 2017 report showed that one-fifth of small businesses (22%) infected with ransomware were crippled to the point of ceasing operations. The same report indicated that 75% of small businesses saw ransomware as a priority but less than half of them felt prepared to deal with the threat on their own.
Small businesses also bore the lion's share of attacks (71%), likely because large companies are investing heavily in security and compliance. Attackers are shifting their focus to the path of least resistance and recognizing the value of healthcare information that is often more easily acquired from smaller organizations.
The 2019 Data Breach Investigation Report from Verizon states that healthcare is the only industry in which internally initiated breaches outweigh breaches caused by outside actors. According to the report, 59% of breaches in healthcare began inside the organization while 42% were from external actions, 4% started with partners and 3% were the result of actions by multiple parties.
The Report identifies three predominant categories of healthcare data breaches: miscellaneous errors (26% on their own), privilege misuse, and web application attacks, which together represented 81% of incidents. Among the miscellaneous errors, misdirection (sending information to the wrong person or organization) is the most common.
This data highlights a training issue. Staff must be aware of the implications of mishandling patient information and educated about the policies and procedures established to safeguard the personal data entrusted to your organization.
Patient records can be worth up to $150 on the black market, so it is no surprise that the Verizon Report found that 83% of breach actors were financially motivated. Paired with the finding that 59% of breaches were internally initiated, this means some insiders were looking to make money on the side by selling private health information. In fact, in June of 2019, Desjardins Insurance announced that an employee had improperly accessed and shared the information of 2.7 million individuals for profit.
Other motivations for healthcare data breaches identified by the Report were: fun (6%), convenience or cutting corners (3%), grudge (3%), and espionage (2%).
The data compromised in these breaches was primarily medical (72%), but personal data (34%) and login credentials (25%) were also taken. The theft of credentials is especially concerning: with a clinician's or staff member's login, an attacker can impersonate that person and reach far more confidential information than was exposed in the original breach.
The breach of a patient's health information can be very damaging. Privacy legislation identifies several categories of risk that you need to assess in order to determine whether a breach must be reported.
The patient risks you need to assess can include bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property.
The risks for your clinic are reputation damage, financial loss, professional sanctions, lawsuits, and even clinic closure.
With so many breaches of health information happening due to error, it is imperative that you train clinicians and staff on a regular basis. Look for a training program that covers the relevant regulations and explains all responsibilities based on role. You’ll also want to know that the privacy compliance training program you use is regularly updated.
Assess the risk to the confidentiality of the patient information in your care by completing a Privacy Impact Assessment (PIA). A professionally prepared PIA will give you risk mitigation strategies for the collection, use, and disclosure of information, as well as the physical, technical and administrative safeguards that prevent privacy breaches in your clinic.
Implement an Information Manager Agreement (IMA) with any vendor that accesses the information in your care. The agreement should set out the vendor's responsibilities for keeping that information safe and hold them accountable for breaches they cause.
Navigating the complex world of privacy compliance in healthcare is difficult, especially when it is only one part of your responsibilities. Expertise in compliance comes from years of experience working with the regulations in different environments.
The Brightsquid privacy support team is made up of certified professionals who have worked with hundreds of clinics to establish and maintain privacy compliance. Contact us at firstname.lastname@example.org to learn how you can engage our team to protect your practice from patient data breaches.